Thank you @Vasil Michev. I was missing the Get-AzKeyVaultSecret ... -AsPlainText parameter. This works for me now:
$AzKeyVaultTenant = '<M365 Tenant ID GUID>'
$AzKeyVaultApplicationId = '<Azure Key Vault Application ID GUID>'
$AzKeyVaultCertificateThumbprint = '<LocalMachine Certificate Thumbprint>'
$AzKeyVaultName = '<Azure Key Vault Name>'
$ExoOrganization = '<M365 Tenant fully qualified domain name>'
$ExoCertificateSecretName = '<Azure Key Vault Exchange Online Certificate Name>'
$ExoAppId = '<Exchange Online App ID GUID>'
Connect-AzAccount -Tenant $AzKeyVaultTenant -ApplicationId $AzKeyVaultApplicationId -CertificateThumbprint $AzKeyVaultCertificateThumbprint -ServicePrincipal | Out-Null
$exoKeyVaultCertificateSecret = Get-AzKeyVaultSecret -VaultName $AzKeyVaultName -Name $ExoCertificateSecretName -AsPlainText
Disconnect-AzAccount -Confirm:$FALSE | Out-Null
$exoCertificate = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList ([Convert]::FromBase64String( $exoKeyVaultCertificateSecret )), '', 'Exportable,MachineKeySet,PersistKeySet'
Connect-ExchangeOnline -Organization $ExoOrganization -AppID $ExoAppId -Certificate $exoCertificate -ShowBanner:$False
(Get-AcceptedDomain | Where-Object { $PSItem.Default }).DomainName
Disconnect-ExchangeOnline -Confirm:$FALSE
